A vulnerability in the current version of Google’s Chrome browser can allow your Windows login, or network login, credentials to be pilfered by a remote hacker.
The problem occurs when Chrome downloads a seemingly harmless .SCF file. These files are very much like the .LNK files of old. SCF stands for “Short-Cut File”. As researcher Bosko Stankovic points out in his original post here, an SCF file might look something like this:
Still, with the secure hash captured, the attacker at 18.104.22.168 can do a few things:
- Brute-force the secure hash and recover the plaintext password using widely-available NTLM tools.
- Feed the hash into another Windows system for authentication, say an Exchange Server (the plaintext password never has to be recovered).
- Use SMB Relay tools to allow the hacker to access the various other accounts that might be associated with the user, such as OneDrive, Skype, Office 365, Xbox Live, etc.

To protect against this, there are several options:
- Change Chrome settings to always ask where to save each file before downloading. The user can cancel the .SCF file download at that time.
- If you have a good firewall/UTM system, you can have it block the downloads of .SCF files.
- Perhaps the most reasonable solution would be to go into the network firewall/UTM and block incoming and outgoing TCP ports 139 and 445.
- Switch to another browser (Internet Explorer, Edge, Firefox, Opera, Safari, etc.).
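
A check to go with the mitigations above, as an added example that is not from the original post or from Stankovic's write-up: it scans a download folder for .scf files and reports any `\\host\share` reference inside them, marking hosts outside the local network. The function names, the host classification rule and the sample file contents are assumptions made for this example.

```python
import ipaddress
import re
import tempfile
from pathlib import Path

# Matches the host part of a \\host\share reference anywhere in the file.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\")

def decode(raw: bytes) -> str:
    """Shortcut files are text; accept UTF-16 with a BOM as well as ANSI/UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")

def is_external(host: str) -> bool:
    """Public IP literals and dotted DNS names count as external;
    private IPs and bare (NetBIOS-style) names count as internal."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return "." in host

def scan_downloads(folder):
    """Return (file name, host, external?) for every UNC host in each .scf file."""
    findings = []
    for path in sorted(Path(folder).rglob("*")):
        if path.is_file() and path.suffix.lower() == ".scf":
            text = decode(path.read_bytes())
            for host in sorted(set(UNC_RE.findall(text))):
                findings.append((path.name, host, is_external(host)))
    return findings

def demo():
    """Constructed sample files; 'ref=' is a placeholder key, not real SCF syntax."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "a.scf").write_bytes(rb"ref=\\files.example.net\share\a")
        (root / "B.SCF").write_bytes("ref=\\\\10.0.0.5\\share\\b".encode("utf-16"))
        (root / "c.scf").write_bytes(b"no remote reference here")
        (root / "notes.txt").write_bytes(rb"\\files.example.net\share\ignored")
        return scan_downloads(root)

if __name__ == "__main__":
    for name, host, external in demo():
        print(f"{name}: references \\\\{host} ({'EXTERNAL' if external else 'internal'})")
```

Point `scan_downloads` at the real download directory to use it; any file flagged as external deserves a look before the folder is opened in Explorer.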